
Create Self-Signed Certificate Online

Using OpenSSL extension for Php

Introduction

This article will show you how to use OpenSSL features from your Php pages so you can build an Online Tool to generate your Self-Signed Certificates.

The first part explains how to generate the different components using the openssl command. These components are the following:

the Private Key: this key remains secret and will be used to digitally sign content

the Certificate Signing Request (CSR): this file contains the public key corresponding to the private key along with information such as the organization, country, city, etc. of the requester. The Certificate Signing Request is digitally signed with the private key before being sent to a Certificate Authority (CA).

the Public Key Certificate: this file contains the final certificate, signed by the Certificate Authority. In our case, this certificate will be self-signed.

In the second part, you will see how to use the openssl extension for Php and how this has been used to build an online page to easily generate Self-Signed Certificates.

Certificate Signing Request

You will be prompted to enter the information to be used for the certificate, such as the country, city, company, section and common name:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:GE
Locality Name (eg, city) []:Geneva
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Novell
Organizational Unit Name (eg, section) []:Consulting
Common Name (eg, YOUR name) []:*.novell.com
Email Address []:mail@domain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The command creates a new mycertificate.csr file containing the Certificate Signing Request. Here is sample content of the Certificate Signing Request file (the content is PEM, i.e. base64-encoded):

Public Key Certificate

When you have the Certificate Signing Request file, you can submit it to a Certificate Authority to get a signed certificate, or generate a Self-Signed Certificate. Usually, if you want to submit the Certificate Signing Request to a well-known Certificate Authority, you can temporarily generate a Self-Signed Certificate for testing purposes and then replace it with the final one sent back by the Certificate Authority.

You can generate a Self-Signed Public Key Certificate using the following command:

Using openssl module for Php

Note: You will need to have OpenSSL installed on your server and also the openssl extension for Php. Check Php documentation for more information.

Configuration

There are two arrays used for generating the different keys and the Certificate Signing Request resource. The first is the config array, containing the path to the openssl.cnf file on your system and the private key length in bits (512, 1024 or 2048; this has to be an integer value, not a string):

Array
(
[config] => /etc/ssl/openssl.cnf
[private_key_bits] => 1024
)

The second array contains all the information needed for the Certificate Signing Request, such as the country, state, company, common name, etc.:

OpenSSL utility class

The OpenSSL utility class is simple and only generates and exports the different components used in this Online Tool. You can also add methods to load existing components from a file (such as the Certificate Signing Request, to see its details) or to encrypt / decrypt data using the Private Key and the Public Key Certificate. You can find more details in the Php documentation of the openssl extension.

Here are the different parts of the source code of this OpenSSL class. At the top of the file you will see the path of your openssl.cnf file.

The main function used here is do_csr(): it creates a Private Key, creates the Certificate Signing Request resource and signs it with the Private Key, and then exports the Private Key, the Public Key Certificate and the Certificate Signing Request.
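The following is an added example of the same flow written against the Php openssl extension; it is not the article's OpenSSL class. The openssl.cnf path, the DN values (taken from the prompt transcript above) and the 2048-bit / SHA-256 choices are assumptions.

```php
<?php
// Added example, not the article's OpenSSL class: Private Key, CSR and Self-Signed
// Certificate with the Php openssl extension. openssl.cnf path and DN are assumptions.
$config = [
    'config'           => '/etc/ssl/openssl.cnf', // path to your openssl.cnf
    'private_key_bits' => 2048,                    // integer, not string
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'digest_alg'       => 'sha256',                // avoid SHA-1 signatures
];
$dn = [
    'countryName'            => 'CH',
    'stateOrProvinceName'    => 'GE',
    'localityName'           => 'Geneva',
    'organizationName'       => 'Novell',
    'organizationalUnitName' => 'Consulting',
    'commonName'             => '*.novell.com',
    'emailAddress'           => 'mail@domain.com',
];

// Returns PEM strings for key, CSR and certificate; throws on any OpenSSL failure.
function do_csr(array $dn, array $config, int $days = 365): array
{
    $key = openssl_pkey_new($config);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    $csr = openssl_csr_new($dn, $key, $config);
    if ($csr === false) {
        throw new RuntimeException('CSR creation failed: ' . openssl_error_string());
    }
    // Self-signed: the CA certificate is null, so the CSR is signed with its own key.
    // A random serial avoids reusing the same serial every time the tool is run.
    $cert = openssl_csr_sign($csr, null, $key, $days, $config, random_int(1, PHP_INT_MAX));
    if ($cert === false) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    $out = [];
    if (!openssl_pkey_export($key, $out['key'], null, $config) // no passphrase here
        || !openssl_csr_export($csr, $out['csr'])
        || !openssl_x509_export($cert, $out['cert'])) {
        throw new RuntimeException('export failed: ' . openssl_error_string());
    }
    return $out;
}

$pem = do_csr($dn, $config);
echo $pem['key'], $pem['csr'], $pem['cert'];
```

Passing a non-null passphrase to openssl_pkey_export encrypts the exported Private Key, which is preferable whenever the output is stored rather than pasted straight into the server configuration.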

Captcha protection

The file valid.php generates captcha images to protect against automated submission, like the following:

The process to create such an image is very simple:

an image is created from a background image, so automatic character recognition is difficult

when called, the file generates a random string (characters in black), stores it in the session, generates a second random string (characters in red) and displays the image. The user will have to enter the characters in black from the image, which makes it even more complicated for robots to get the Security Code…

on submission, the Php script compares the Security Code entered by the user with the value from the session

Here are the different parts of the code. First, the valid.php file starts the session:
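As an added illustration of the three steps above (this is not the article's valid.php), the script below serves the image by default and, when called with ?check, verifies a submitted code against the session. The background file name and the 6-character code length are assumptions.

```php
<?php
// Added example, not the article's valid.php: session-backed captcha as described
// above. Background file name and code length are assumptions.
session_start();

// Unambiguous alphabet (no 0/O, 1/I/l) generated from a CSPRNG, not rand().
function random_code(int $length): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $code;
}

if (isset($_GET['check'])) {
    // Submission handler: compare the stored code with the user's input in
    // constant time, then discard it so the same code cannot be replayed.
    $expected = $_SESSION['security_code'] ?? '';
    $given    = strtoupper(trim((string) ($_POST['security_code'] ?? '')));
    unset($_SESSION['security_code']);
    $ok = $expected !== '' && hash_equals($expected, $given);
    header('Content-Type: text/plain');
    echo $ok ? 'Security Code accepted' : 'Security Code rejected';
    exit;
}

// Image handler: the black string is the real code (stored in the session),
// the red string is a decoy drawn on the same background.
$secret = random_code(6);
$decoy  = random_code(6);
$_SESSION['security_code'] = $secret;

$img = imagecreatefrompng(__DIR__ . '/background.png'); // assumed file
if ($img === false) {
    http_response_code(500);
    exit;
}
$black = imagecolorallocate($img, 0, 0, 0);
$red   = imagecolorallocate($img, 200, 0, 0);
imagestring($img, 5, 10, 10, $secret, $black);
imagestring($img, 5, 10, 30, $decoy, $red);

header('Content-Type: image/png');
header('Cache-Control: no-store'); // never let a proxy serve a stale captcha
imagepng($img);
imagedestroy($img);
```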

Once submitted, the Certificate Signing Request, Public Key Certificate and Private Key exports will be displayed on the page. You can then copy/paste the content to save the components to different files.

Using the certificates in Apache

From there, you can import your Private Key and Public Key Certificate in Apache for the SSL configuration, for instance. If you want to set up multiple servers, you can also add one step by creating a Self-Signed Certificate Authority, using the same method, and then use this Self-Signed Certificate Authority to generate a Public Key Certificate. Then, if you import the Self-Signed Certificate Authority in your web browser, any certificate signed by this Certificate Authority will be validated and there will be no security pop-ups.

In your configuration file, Apache should listen to port 443 (or other if non standard):

You can replace the content of server.crt and server.key with the Public Key Certificate and the Private Key you generated. You will find more detailed information on how to set up SSL with Apache on the Apache web site.

Summary

Using the openssl extension for Php makes it easy to build an Online Tool to generate Self-Signed Certificates and their different components: the Certificate Signing Request, the Private Key and the Public Key Certificate. We only used the basic features of the library, and you can do much more than that. Using the different functions, you could create a whole PKI interface with a Certificate Authority, encryption, decryption, signatures… Now you can have fun setting up SSL, with encryption, decryption and digital signatures using your certificates!

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.